terraform-google-modules/terraform-google-bigquery

Observing difference in Access list for BigQuery datasets

shj-18 opened this issue · 5 comments

shj-18 commented

TL;DR

We observed a change in the access list of newly created datasets while using Terraform module v5.4.2. This change was not observed in v5.4.1.

This behavior seems to have been mitigated by the patch merged in late 2022. #157

But we are observing the same behavior as before the patch.

  1. Should we be experiencing the behavior that was observed before the patch at present, given that the bug was fixed in late 2022?
  2. Can you also explain what made the ACL change between v5.4.1 and v5.4.2?

Terraform Configuration

module "bigquery" {
  source  = "terraform-google-modules/bigquery/google"
  version = "~> 5.4.2"
}


I'm unable to reproduce this issue locally. I've tried a sample configuration closely resembling what you've provided here with v5.4.1, v5.4.2 and the latest version. None of them provision access to project Viewers as BigQuery Data Viewer at the dataset level.

To further investigate this, can you:

  • share the output of terraform version for the root config.
  • share the complete configuration that reproduces the issue for you.
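Whichever module version produced the dataset, the fastest way to settle what its access list actually contains is to pull it with `bq show --format=prettyjson PROJECT:DATASET` (the same JSON the datasets.get API returns) and compare the `access` arrays from the two versions. The script below is an added example for that check; it is not code from the module or from anyone in this thread. The two snapshots it parses are constructed to mirror the report: the "after" dataset carries a READER entry for `projectReaders`, which is BigQuery's special group for project Viewers and is equivalent to `roles/bigquery.dataViewer`. The project id, service account and group names are placeholders.

```python
"""Audit a BigQuery dataset access list for broad reader grants and diff two
snapshots of it (for example the same dataset created by two module versions).

Input is the JSON printed by `bq show --format=prettyjson PROJECT:DATASET`.
Both snapshots below are CONSTRUCTED for this example, not captured output.
"""
import json

# Legacy dataset roles and the IAM roles BigQuery treats them as equivalent to.
LEGACY_TO_IAM = {
    "READER": "roles/bigquery.dataViewer",
    "WRITER": "roles/bigquery.dataEditor",
    "OWNER": "roles/bigquery.dataOwner",
}
READ_CAPABLE_ROLES = set(LEGACY_TO_IAM.values())

# Special groups that widen read access beyond explicitly named identities.
# projectOwners is deliberately left out: owners can grant themselves access anyway.
BROAD_SPECIAL_GROUPS = {"projectReaders", "projectWriters", "allAuthenticatedUsers"}
PUBLIC_IAM_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Keys an access entry uses to name its principal.
PRINCIPAL_KEYS = ("userByEmail", "groupByEmail", "domain", "specialGroup", "iamMember")

# Constructed snapshot: only what the configuration explicitly grants.
BEFORE_JSON = json.dumps({"access": [
    {"role": "OWNER", "specialGroup": "projectOwners"},
    {"role": "OWNER", "userByEmail": "terraform@example-project.iam.gserviceaccount.com"},
    {"role": "roles/bigquery.dataViewer", "groupByEmail": "analysts@example.com"},
    {"view": {"projectId": "example-project", "datasetId": "reports", "tableId": "v_summary"}},
]})

# Constructed snapshot: same dataset, but project Viewers now have READER.
AFTER_JSON = json.dumps({"access": [
    {"role": "OWNER", "specialGroup": "projectOwners"},
    {"role": "OWNER", "userByEmail": "terraform@example-project.iam.gserviceaccount.com"},
    {"role": "roles/bigquery.dataViewer", "groupByEmail": "analysts@example.com"},
    {"role": "READER", "specialGroup": "projectReaders"},
    {"view": {"projectId": "example-project", "datasetId": "reports", "tableId": "v_summary"}},
]})


def normalize_entry(entry):
    """Return (iam_role, "kind:principal") for one access entry.

    Authorized views/routines/datasets carry no role and return None."""
    role = entry.get("role")
    if role is None:
        return None
    role = LEGACY_TO_IAM.get(role, role)
    for key in PRINCIPAL_KEYS:
        if key in entry:
            return (role, f"{key}:{entry[key]}")
    return None


def parse_access(dataset_json):
    """Set of normalized (role, principal) grants in a bq show JSON document."""
    doc = json.loads(dataset_json) if isinstance(dataset_json, str) else dataset_json
    return {n for n in map(normalize_entry, doc.get("access", [])) if n}


def broad_reader_grants(entries):
    """Grants that let a project-wide or public principal read dataset data."""
    flagged = []
    for role, principal in sorted(entries):
        kind, _, name = principal.partition(":")  # iamMember names may contain ':'
        if role not in READ_CAPABLE_ROLES:
            continue
        if (kind == "specialGroup" and name in BROAD_SPECIAL_GROUPS) or \
           (kind == "iamMember" and name in PUBLIC_IAM_MEMBERS):
            flagged.append((role, principal))
    return flagged


def diff_access(before, after):
    """(added, removed) grants between two parsed access sets."""
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    before, after = parse_access(BEFORE_JSON), parse_access(AFTER_JSON)
    added, removed = diff_access(before, after)
    print("added:  ", added)
    print("removed:", removed)
    print("broad read grants after:", broad_reader_grants(after))
```

Run it against real output by replacing the two constructed strings with the files from `bq show --format=prettyjson PROJECT:DATASET > before.json` taken under each module version; any entry listed under "added" that also appears in the broad-grant list is the drift the report describes, and it is then worth checking whether the module's dataset resource was given an explicit access list or fell back to BigQuery's defaults.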

shj-18 commented

Terraform version v1.0.0.

Attached the locals.tf and main.tf files

locals.txt

main.txt

I noticed this block:

resource "google_bigquery_dataset_iam_member" "google_dataset_iam_member_read_assignment" {
  count      = local.combined_dataset_read_accounts != null ? length(local.combined_dataset_read_accounts) : 0
  project    = var.project_id
  dataset_id = module.bigquery.bigquery_dataset.dataset_id
  role       = local.combined_dataset_read_accounts[count.index].role
  member     = local.combined_dataset_read_accounts[count.index].user
}

which is primarily responsible for setting the roles/bigquery.dataViewer role on the dataset. There is no variables config present here, but what you set in var.dataset_read_accounts will drive the dataset reader permissions for the accounts.

shj-18 commented

Pasting the version details.

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.60.2"
    }

    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 4.60.2"
    }
  }
}

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days